ASA License

Sep 9th, 2010

I am setting up a secondary ASA. From what I see, the licenses on the two ASAs are different, but the guy who purchased the license said it will work. From what I understand it doesn't look right. Can someone please confirm whether setting up failover will work when the licenses don't match exactly, or what the minimum match is in order to have failover work?


Primary

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50       
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 0        
GTP/GPRS                     : Disabled 
SSL VPN Peers                : 25       
Total VPN Peers              : 250      
Shared License               : Disabled
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
AnyConnect Essentials        : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Phone Proxy Sessions      : 50       
Total UC Proxy Sessions      : 50       
Botnet Traffic Filter        : Disabled


Secondary

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 25       
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
Security Contexts           : 0        
GTP/GPRS                    : Disabled 
VPN Peers                   : 150
   


Thanks for your input.

Allen P Chen Thu, 09/09/2010 - 11:07
User Badges:
  • Cisco Employee,

Hello,


It looks like failover is disabled on the Primary ASA, so failover will not work:


Primary

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50       
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 0        
GTP/GPRS                     : Disabled 
SSL VPN Peers                : 25       
Total VPN Peers              : 250      
Shared License               : Disabled
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
AnyConnect Essentials        : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Phone Proxy Sessions      : 50       
Total UC Proxy Sessions      : 50       
Botnet Traffic Filter        : Disabled


Are the two ASAs running the same software version?  Which license is installed on both units?  In the output of "show version", there should be something that states "This platform has an ASA.......license".


Please advise.

joe.ho Thu, 09/09/2010 - 11:18

Good catch about the version. Sorry I didn't post the correct one. Here they are.


Primary

TOR-FW1# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

TOR-FW1 up 142 days 1 hour

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0         : address is 0024.97fa.e49c, irq 9
1: Ext: Ethernet0/1         : address is 0024.97fa.e49d, irq 9
2: Ext: Ethernet0/2         : address is 0024.97fa.e49e, irq 9
3: Ext: Ethernet0/3         : address is 0024.97fa.e49f, irq 9
4: Ext: Management0/0       : address is 0024.97fa.e4a0, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5
             
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50       
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 0        
GTP/GPRS                     : Disabled 
SSL VPN Peers                : 25       
Total VPN Peers              : 250      
Shared License               : Disabled
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
AnyConnect Essentials        : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Phone Proxy Sessions      : 50       
Total UC Proxy Sessions      : 50       
Botnet Traffic Filter        : Disabled

This platform has a Base license.


Secondary

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 9 secs

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0         : address is c84c.7552.110a, irq 9
1: Ext: Ethernet0/1         : address is c84c.7552.110b, irq 9
2: Ext: Ethernet0/2         : address is c84c.7552.110c, irq 9
3: Ext: Ethernet0/3         : address is c84c.7552.110d, irq 9
4: Ext: Management0/0       : address is c84c.7552.110e, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5
             
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100      
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
SSL VPN Peers                : 25       
Total VPN Peers              : 250      
Shared License               : Disabled
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
AnyConnect Essentials        : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Phone Proxy Sessions      : 50       
Total UC Proxy Sessions      : 50       
Botnet Traffic Filter        : Disabled

This platform has an ASA 5510 Security Plus license.

Panos Kampanakis Thu, 09/09/2010 - 11:30
User Badges:
  • Cisco Employee,

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50       
Inside Hosts                 : Unlimited
Failover                     : Disabled


Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100      
Inside Hosts                 : Unlimited
Failover                     : Active/Active


Indeed you have a license issue. Both units will need to have a license that supports failover in order for failover to work.


I hope it helps.



PK

joe.ho Thu, 09/09/2010 - 11:34

How about security contexts and max VLANs, will that be an issue if they do not match? Will they take the lowest value after they are set up for failover?

Correct Answer
Panos Kampanakis Thu, 09/09/2010 - 11:41
User Badges:
  • Cisco Employee,

Yes, you need to have a matching feature set in 8.2.

In 8.3 you can share VPN users license on the units.


I hope it makes sense.


PK

Correct Answer
Allen P Chen Thu, 09/09/2010 - 12:07
User Badges:
  • Cisco Employee,

Hello,


The Security Plus license is missing from the Primary ASA, which is why failover is not supported.  Please take a look at the "High-availability support" section in the link below, notice that failover is not supported unless it has the Security Plus license:


http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html


Hope this helps.

joe.ho Thu, 09/09/2010 - 12:18

Thank you very much for all your help. Cheers!
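
The license comparison the replies carry out by eye can be scripted before a failover pair is built. The following is an added example, not code from the thread or from Cisco: it parses the "Licensed features" block of two `show version` captures (trimmed here from the output posted above), reports which unit has failover disabled, and lists every feature whose value differs. The function names and the choice to treat a missing Failover line as disabled are assumptions of this example.

```python
import re

# License blocks trimmed from the "show version" output posted in the thread.
PRIMARY = """\
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50
Failover                     : Disabled
Security Contexts            : 0
Total VPN Peers              : 250

This platform has a Base license.
"""
SECONDARY = """\
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100
Failover                     : Active/Active
Security Contexts            : 2
Total VPN Peers              : 250

This platform has an ASA 5510 Security Plus license.
"""

def parse_features(show_version):
    """Return {feature: value} from the 'Licensed features' block only."""
    features, in_block = {}, False
    for line in show_version.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        if not in_block:
            continue  # skip hardware/interface lines that also contain ':'
        m = re.match(r"^(.+?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            features[m.group(1)] = m.group(2)
        elif features:
            break  # first non "name : value" line ends the block
    return features

def compare(primary, secondary):
    """Flag units that cannot do failover and features that do not match."""
    a, b = parse_features(primary), parse_features(secondary)
    # Assumption: a unit with no Failover line is treated as Disabled.
    blocked = [name for name, f in (("primary", a), ("secondary", b))
               if f.get("Failover", "Disabled") == "Disabled"]
    diff = {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
    return {"failover_blocked_by": blocked, "mismatches": diff}
```
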
